Installation de Kanet / Shibboleth pour Fedora / Red Hat

Petit Wiki de travail‎ > ‎Tutoriel portail captif Kanet‎ > ‎

Installation de Kanet / Shibboleth pour Fedora / Red Hat

Résumé

Cette documentation sur Kanet a été rédigée par Xavier Marty de l'Université de Toulouse 1 Capitole.
Elle détaille d'une part l'installation et la configuration de Kanet sous F13 et REHL 6 et d'autre part la configuration du proxy pour les trois méthodes d'authentification supportées par Kanet : CAS, Radius et Shibboleth.

Vous trouverez ici un tutoriel pas à pas relatif à l'installation et la configuration de Kanet pour Ubuntu 10.10.

Installation

Nécessite vala 0.11 minimum (cf fichier)

Quelques indications

Installation minimale
Activation du service network après installation (← pour F14)

Installation de quelques packages utiles

yum install ntsysv wget openssh-clients mlocate ntp

Version FC14

Packages pour kanet

Installation possible mais problème pour la partie shibboleth

nécessité de recompilation
impossible d'utiliser les packages “officiels shibboleth” du site opensuse à cause du package curl

Nécessaire

yum install gcc
yum install libgee-devel sqlite-devel libsoup-devel json-glib-devel libdaemon-devel radiusclient-ng-devel 
yum install libnetfilter_conntrack-devel libnetfilter_queue-devel

Mise à jour du vala

yum install gnome-common intltool libtool
rpm -Uvh vala-0.11.2-1.fc15.i686.rpm vala-tools-0.11.2-1.fc15.i686.rpm vala-devel-0.11.2-1.fc15.i686.rpm

Version Centos 5

Packages obsolètes

Version RHEL 6

Ajout base epel

rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Packages nécessaires pour kanet

yum install gcc kernel-headers
yum install libsoup-devel sqlite-devel libgee-devel
yum install json-c-devel radiusclient-ng radiusclient-ng-devel
yum install gnome-common intltool libtool

Packages installations à la main … récupérer depuis la distribution fedora : http://MIRROIR_FEDORA/pub/fedora/linux/releases/14/Everything/i386/os/Packages/

rpm -Uvh json-glib-*
rpm -Uvh libdaemon-*
rpm -Uvh libnfnetlink-* libnetfilter_*
rpm -Uvh vala-*

Liste des packages installés en janvier 2011

json-glib-0.10.4-3.fc14.i686.rpm
json-glib-devel-0.10.4-3.fc14.i686.rpm
libdaemon-0.14-1.fc13.i686.rpm
libdaemon-devel-0.14-1.fc13.i686.rpm
libnetfilter_conntrack-0.0.101-1.fc13.i686.rpm
libnetfilter_conntrack-devel-0.0.101-1.fc13.i686.rpm
libnetfilter_queue-0.0.17-2.fc12.i686.rpm
libnetfilter_queue-devel-0.0.17-2.fc12.i686.rpm
libnfnetlink-1.0.0-1.fc13.i686.rpm
libnfnetlink-devel-1.0.0-1.fc13.i686.rpm
vala-0.11.2-1.fc15.i686.rpm
vala-devel-0.11.2-1.fc15.i686.rpm
vala-tools-0.11.2-1.fc15.i686.rpm

Packages services

yum install dnsmasq dhcp httpd mod_ssl

Récupération de kanet

wget http://kanet.googlecode.com/files/kanet-0.2.3.tar.bz2

Compilation

Commande

./waf configure # 1
./waf # 2
./waf install

Modifier wscript

Adapter si nécessaire le fichier wscript à la racine du dossier kanet.
Il faut modifier l'appel au vala. Par défaut l'application recherche vala, sous RedHat, il s'agit de libvala :

        # ...
        conf.check_cfg(package='libvala-0.12', uselib_store='VALA', atleast_version='0.7.10', args='--cflags --libs', mandatory=True)
        # ...

Configuration

Liens symboliques : on recopie des librairies depuis /usr/local/lib/ dans /usr/lib/

cd /usr/local/lib/
cp lib* /usr/lib/

3 librairies présentes : libKanetAuthModule.so / libkanet-dummy.so / libkanet-radiusclient.so

Modifier le fichier hosts en rajoutant la ligne
```
10.34.0.1	eduspot   eduspot.univ.fr
```

Interface interne, fichier ifcfg-eth1

DEVICE="eth1"
HWADDR="MA-MAC"
IPADDR=10.34.0.1
NETMASK=255.255.0.0
NM_CONTROLLED="yes"
ONBOOT="yes"

Activer les services au démarrage au démarrage –> httpd, dhcp, dnsmasq, shibd (cf plus bas pour ce dernier)

Configuration dhcpd.conf

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#   see 'man 5 dhcpd.conf'
#
ddns-updates off;
option domain-name-servers 10.34.0.1;
 
default-lease-time 600;
max-lease-time 7200;
authoritative;
 
subnet 10.34.0.0 netmask 255.255.0.0 {
option routers 10.34.0.1;
option broadcast-address 10.34.255.255;
range 10.34.1.0 10.34.254.255;
}

Dnsmasq –> aucune configuration

Emplacement /usr/local/etc/kanet/

Création d'un lien symbolique

cd /etc
ln -s /usr/local/etc/kanet/kanet.conf kanet.conf

Fichier

*
	Configuration file for kanet
*/
 
{
	/*
		Server configuration
		SERVER_MODE="STANDALONE" (default) or "PROXY"
	*/
	"SERVER_MODE" : "PROXY",
	"SERVER_URL" : "https://eduspot.univ.fr",
	"SERVER_PORT" : "8181",
	"SERVER_IP" : "",
	"REDIRECT_SERVER_PORT" : "8080",
	"QUEUE_NUM" : "0",
	"SSL_CERT_FILE" : "/etc/kanet/ssl-kanet.crt",
	"SSL_KEY_FILE" : "/etc/kanet/ssl-kanet.key",
	"DEBUG" : "1",
	/*
		Persistent data,
		only sqlite is available.
	*/
	"database" : "sqlite",
	"sqlite_connection_string" : "/usr/local/var/lib/kanet/kanet.sqlite",
	"mysql_connection_string" : "Server=xxx; Port=3306; Database=xxx; uid=xxx; pwd=xxx;",
	/*
		Server behavior
	*/
	"login_page" : "https://eduspot.univ.fr/login.html",
	"captive_portal_page" : "https://eduspot.univ.fr/www/update.html",
	"cas_url" : "https://cas.univ.fr/cas/",
	"www_path" : "/var/www/html/",
	"module_path" : "/usr/lib",
	"auth_module_name" : "kanet-radiusclient",
 
 
	/*
		blacklist acls
		always rejected.
	*/
	"KANET_ACL_TYPE_BLACKLIST": [
		{ "address" : "127.0.0.1", "port" : 9090 },
		{ "port" : 8089 }
	],
	/*
		open acls
		always open
	*/
	"KANET_ACL_TYPE_OPEN": [
		{ "address" : "cas.univ.fr" },
		{ "address" : "idp.univ.fr" },
		{ "address" : "ocsp.tcs.terena.org" },
                { "address" : "ocsp.usertrust.com" },
                { "address" : "services-federation.renater.fr" }
		//{ "address" : "www.univ.fr", "port" : 443 },
		//{ "port" : 60 }
	],
	/*
		default acls
		open to authenticated users.
	*/
	"KANET_ACL_TYPE_DEFAULT": [
		{ "port" : 8089 },
		{ "port" : 443 },
		{ "port" : 80 }
	],
 
	/* Admins : comma separated login list */
	"admins": "xmarty@cas",
	/* 
		blacklist_part
	*/
	"blacklist_users" : [
		{ "login" : "colin", "message" : "hi foo ! you're login have been locked .." },
		{ "login" : "johndoe", "message" : "hi john doe ! this account is locked .." }
	],
	"default_blacklist_message" : "Your account have been locked",
 
	/* 
		auto_blacklist_acl
		used to inform user they are probably infected, if a user try to join
		one of this address, the user is automatically blacklisted and the message
		display on is login window
	*/
	"auto_blacklist_acls": [
		{ "address" : "192.168.1.45", "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" },
		{ "port" : 45678, "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" }
	],
	/*
		quota, in bytes or seconds. 0 is unlimited.
	*/
	"bytes_quota" : "0",
	"time_quota" : "0",
	/*
		message
		variables : $upbytes $downbytes $duration
	*/
	"update_msg" : "Up : $upbytes, Down: $downbytes, Time: $duration",
	"over_quota_msg" : "Sorry you exceed your quota",
	"blacklist_msg" : "Sorry, you're account have been locked",
    	"update_error_msg" : "An error occured during authentication process, please restart your browser"
 
}

iptables

mkdir /usr/local/scripts/
vi kanet-firewall

#!/bin/sh
 
IPT="/sbin/iptables"
 
IP_PRIVATE="10.34.0.1" # <- A MODIFIER
NTINT="eth1"
 
test -f $IPT || exit 0
 
case "$1" in
        start)
    echo -n "Loading kanet firewall's rules: "
    echo 1 > /proc/sys/net/ipv4/ip_forward
 
    # Flush table
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -t filter -F
 
 
    $IPT -t mangle -A PREROUTING -i $NTINT -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -p TCP -i $NTINT -d $IP_PRIVATE -j ACCEPT
    $IPT -t mangle -A PREROUTING -p TCP -i $NTINT -m state --state NEW -j QUEUE
 
 
 
    $IPT -t nat -A PREROUTING -p TCP -i $NTINT -j CONNMARK --save-mark
    # MARK 0xFFFFFFFF = Openacls
    $IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFF -j ACCEPT
 
    # MARK 0xFFFFFFFE = use http-to-https redirection (Not implemented)
    #$IPT -t nat -A PREROUTING -p TCP -i $NTINT -m mark --mark 0xFFFFFFFE -j DNAT --to-destination $IP_PRIVATE
 
    # MARK 0x0 = unauthenticated - 80 is redirected to authentication page
    $IPT -t nat -A PREROUTING -p TCP --dport 80 -i $NTINT -m mark --mark 0 -j DNAT --to-destination $IP_PRIVATE:8080
 
    $IPT -A INPUT -p tcp --dport 8181 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
 
 
    # MARK 0x1 blacklistacls
    $IPT -t filter -A FORWARD -m mark --mark 0x1 -j REJECT
 
    $IPT -t nat -A POSTROUTING -m mark ! --mark 0 -j MASQUERADE
 
    echo "Done."
    ;;
  stop)
    echo -n "Flushing kanet firewall's rules: "
        echo 0  > /proc/sys/net/ipv4/ip_forward
 
    ###########################
    # FLUSH TABLES
    ###########################
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t mangle -F
    echo "Done."
    ;;
 
  status)
    # List tables
    echo
    echo "---------- FILTER TABLE -----------"
    echo
    $IPT -t filter -L -v
    echo
    echo "----------   NAT TABLE  -----------"
    echo
    $IPT -t nat -L -v
    echo
    echo "----------   MANGLE TABLE  -----------"
    echo
    $IPT -t mangle -L -v
    echo
    ;;
        restart|force-reload)
                $0 stop
                $0 start
                echo "Done."
                ;;
 
        *)
    echo "Usage: /etc/init.d/kanet {start|stop|status|restart}"
    exit 1
    ;;
esac
 
exit 0

pages web

Récupérer les fichiers d'origine

cd /usr/local/share/kanet
cp -r * /var/www/html/

Pour l'authentification triple, utiliser le fichier login.html ci-dessous
```
 
```

Configuration Apache

httpd.conf

# ...
ServerName eduspot.univ.fr
# ...
<IfModule worker.c>
StartServers        20
MaxClients        1000
MinSpareThreads    200
MaxSpareThreads    250
ThreadsPerChild     50
MaxRequestsPerChild  0
</IfModule>
# ...
Listen 8080
Listen 443
# ...

eduspot.conf

<VirtualHost 10.34.0.1:443>
        SSLEngine On
 
        SSLCertificateFile /REP/LE_CERTIF.crt
        SSLCertificateKeyFile /REP/LE_CERTIF.key
	SSLCertificateChainFile /REP/cachain.pem
        SSLVerifyClient none
        SSLProxyEngine On
 
        Alias /www /var/www/html/
 
        ProxyPreserveHost On
        ProxyRequests On
        ProxyPass /www !
        ProxyPass /Shibboleth.sso !
        ProxyPass / http://127.0.0.1:8181/ disablereuse=on retry=0 flushpackets=on
        ProxyPassReverse / http://127.0.0.1/
        ProxyTimeout 3
 
	<location /www>
 
        </location>
 
 
        <location />
                AuthType shibboleth
                Require shibboleth
                ShibUseHeaders On
        </location>
 
        <location /login_shibboleth>
                Allow from all
                AuthType shibboleth
                ShibRequireSession On
                require valid-user
        </location>
 
 
 
        ErrorLog /var/log/httpd/error_eduspot.log
        LogLevel warn
        CustomLog /var/log/httpd/access_eduspot.log combined
 
</VirtualHost>
<VirtualHost 10.34.0.1:8080>
        RewriteEngine On
        #RedirectMatch .* https://cas.univ.fr/cas/login/?service=https://eduspot.univ.fr/login_cas/
        RedirectMatch .* https://eduspot.univ.fr/www/login.html
 
        ErrorLog /var/log/httpd/error_eduspot.log
        LogLevel warn
        CustomLog /var/log/httpd/access_eduspot.log combined
 
</VirtualHost>

Radius

Modifier les fichiers radiusclient.conf et servers

radiusclient.conf

# ...
auth_order      radius # Mettre uniquement radius et enlever local
# ...
authserver      radius.univ.fr
# ...
acctserver      radius.univ.fr
# ...

servers

# Indiquer le serveur et le pass
radius.univ.fr                           MON_PASS

SSO : CAS

Cf config kanet.conf et/ou documentation de Jérôme pour modifier à la fois le kanet.conf et le eduspot.conf (apache) pour de réaliser que des authentifications CAS.

Shibboleth

Doc installation shibboleth via compilation package pour Fedora mais à revoir …

Packages

wget -O /etc/yum.repos.d/security_shibboleth.repo http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/security:shibboleth.repo
echo "protect=1" >> /etc/yum.repos.d/security_shibboleth.repo
wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-shibboleth-security http://download.opensuse.org/repositories/security:/shibboleth/RHEL_6/repodata/repomd.xml.key
yum install xmltooling log4shib xerces-c xml-security-c xmltooling opensaml shibboleth curl-openssl

Configuration

shibboleth2.xml pour la fédération de test

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    logger="syslog.logger" clockSkew="180">
 
    <OutOfProcess logger="shibd.logger">
    </OutOfProcess>
 
    <InProcess logger="native.logger">
        <ISAPI normalizeRequest="true" safeHeaderNames="true">
            <Site id="1" name="eduspot.univ.fr"/>
        </ISAPI>
    </InProcess>
 
    <UnixListener address="shibd.sock"/>
 
    <StorageService type="Memory" id="mem" cleanupInterval="900"/>
    <SessionCache type="StorageService" StorageService="mem" cacheTimeout="3600" inprocTimeout="900" cleanupInterval="900"/>
    <ReplayCache StorageService="mem"/>
    <ArtifactMap artifactTTL="180"/>
 
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="eduspot.univ.fr">
                <Path name="secure" authType="shibboleth" requireSession="true"/>
            </Host>
        </RequestMap>
    </RequestMapper>
 

    <ApplicationDefaults id="default" policyId="default"
        entityID="https://eduspot.fr/login_shibboleth"
        REMOTE_USER="eppn targeted-id"
        signing="false" encryption="false">
 

        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerURL="/Shibboleth.sso" handlerSSL="false"
            exportLocation="/Shibboleth.sso/GetAssertion"
            idpHistory="false" idpHistoryDays="7">
 
            <SessionInitiator type="Chaining" Location="/WAYF" id="WAYF" relayState="cookie">
                <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
                <SessionInitiator type="Shib1" acsIndex="5"/>
                <SessionInitiator type="WAYF" acsIndex="5" URL="https://services-federation.renater.fr/test/wayf/"/>
            </SessionInitiator>
 
            <md:AssertionConsumerService Location="/SAML2/POST" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
            <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
            <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
            <md:AssertionConsumerService Location="/SAML/POST" index="5"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
            <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
 
            <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
                <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
                <LogoutInitiator type="Local"/>
            </LogoutInitiator>
 
            <md:SingleLogoutService Location="/SLO/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:SingleLogoutService Location="/SLO/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:SingleLogoutService Location="/SLO/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:SingleLogoutService Location="/SLO/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
            <md:ManageNameIDService Location="/NIM/SOAP"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
            <md:ManageNameIDService Location="/NIM/Redirect" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
            <md:ManageNameIDService Location="/NIM/POST" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
            <md:ManageNameIDService Location="/NIM/Artifact" conf:template="bindingTemplate.html"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
 
            <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
 
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
            <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
 
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
 
        </Sessions>
 
        <Errors supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>
 
        <MetadataProvider type="Chaining">

    <MetadataProvider type="XML" uri="https://services-federation.renater.fr/metadata/renater-test-metadata.xml"
                  backingFilePath="/etc/shibboleth/renater-test-metadata.xml" reloadInterval="7200">
                  <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
                  <MetadataFilter type="Signature" certificate="/etc/shibboleth/metadata-federation-renater.crt"/>
            </MetadataProvider>
 
        </MetadataProvider>
 
        <TrustEngine type="Chaining">
            <TrustEngine type="ExplicitKey"/>
            <TrustEngine type="PKIX"/>
        </TrustEngine>
 
        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
 
        <AttributeResolver type="Query" subjectMatch="true"/>
 
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
 
        <CredentialResolver type="File" key="/REP/LE_CERTIF.key" certificate="/REP/LE_CERTIF.crt"/>
 
    </ApplicationDefaults>
 
    <SecurityPolicies>
        <Policy id="default" validate="false">
            <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
            <PolicyRule type="Conditions">
                <PolicyRule type="Audience"/>
            </PolicyRule>
            <PolicyRule type="ClientCertAuth" errorFatal="true"/>
            <PolicyRule type="XMLSigning" errorFatal="true"/>
            <PolicyRule type="SimpleSigning" errorFatal="true"/>
        </Policy>
    </SecurityPolicies>
 
</SPConfig>

Fichiers nécessaires

Récupérer le certificat de la fédération

wget https://services-federation.renater.fr/metadata/metadata-federation-renater.crt -O /etc/shibboleth/metadata-federation-renater.crt

Récupérer les metadata

wget https://services-federation.renater.fr/metadata/renater-test-metadata.xml -O /etc/shibboleth/renater-test-metadata.xml

Déclaration fédération renater

Informations techniques :

Identifiant : https://eduspot.univ.fr/login_shibboleth
Adresse du service : https://eduspot.univ.fr
Adresse du consommateur d'assertions : https://eduspot.univ.fr/Shibboleth.sso/SAML/POST

Récupération des IDP et CAS de la fédération

→ A REVOIR

Comments

Jérôme Bousquié

Navigation

Activités récentes sur le site